Are my passwords secure?
ScrumWorks Pro stores encrypted passwords in its database. Passwords
are only transmitted in encrypted form between the client
and the server. The one exception is Directory Authentication users; please see the Directory section of this FAQ.
How can I recover a lost or forgotten password?
Passwords are stored using a one-way algorithm. This secures them against attackers,
but also prevents recovery.
If a user loses or forgets their password, a Global Administrator can reset it using the
ScrumWorks Pro Desktop Client's User Manager. If all Global Administrators lose or forget their passwords, please contact support for further instructions.
What is the recommended configuration for keeping my Directory Authenticated users' passwords secure?
- The ScrumWorks Pro server should be configured to connect to LDAP via SSL (LDAPS).
- The ScrumWorks Pro server should be configured to use HTTPS. If you are using LDAP, the
  passwords sent from the client to the server are sent as clear text (no encryption). This
  is because the LDAP server needs the original password to compare against its database. To prevent
  password sniffing, HTTPS is required for all client/server communication.
How can I secure the ScrumWorks Pro web client?
The ScrumWorks Pro server should be configured to use HTTPS. All clients
should be directed to https://server:8443/scrumworks/webclient.
How can I secure all client/server communication?